On Mon, Jun 29, 1998 at 12:22:32PM -0400, Segv wrote:
> There seems to be some more problems with mailx. While browsing over the
> source, I found the code that handles the '!' command.
> (this appears in names.c)
>
>     if ((shell = value("SHELL")) == NOSTR)
>         shell = SHELL;
>     execl(shell, shell, "-c", fname, 0);
>
> As you can see the value() function returns a pointer to the value of (the
> environment variable) SHELL. If SHELL isn't set it defaults to /bin/bash
> (consult local.h). Then execl() is called to execute the value that shell
> points to. So you can execute commands with sgid mail privs. One problem
> you may run into is shells that drop privs if rgid != egid, so you could
> simply write a wrapper that calls setrgid(mail) then executes the specified
> command with sgid mail privs.

Nope. Check out main.c, line 56:

    /*
     * Absolutely the first thing we do is save our egid
     * and set it to the rgid, so that we can safely run
     * setgid. We use the sgid (saved set-gid) to allow ourselves
     * to revert to the egid if we want (temporarily) to become
     * privileged.
     */
    effectivegid = getegid();
    realgid = getgid();
    if (setgid(realgid) < 0) {
        perror("mailx: setgid real");
        exit(1);
    }

Now it's running with whatever privileges you had. It switches back to these
privileges in lock.c when it needs them, then immediately switches back.

> segv
> <segvat_private>

-- 
Nathan Dorfman <nathanat_private>   "My problems start when the smarter bears
finger for PGP key                  and the dumber visitors intersect."
                                    Steve Thompson, Yosemite wildlife biologist
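The pattern Nathan describes (save the effective gid, drop to the real gid as the very first thing, and re-raise only around a privileged operation such as the lock handling in lock.c) is worth seeing end to end. The program below is an added illustration, not mailx's own code: the function names drop_privs, with_privs and run_shell_escape are invented, the "privileged operation" is a stand-in, and the shell for the '!' escape is passed in by the caller (mailx reads $SHELL, as quoted above). The child for the shell escape checks that egid == rgid before it exec()s, which is the invariant that makes trusting $SHELL harmless. One caveat: on Linux, setgid() called by a non-root process changes only the effective gid, so the original egid remains reachable as the saved set-gid, which is exactly what the mailx comment relies on; other systems differ in what setgid() touches, so a portable program should re-check with getegid() rather than assume.

```c
/* Added example of setgid privilege bracketing; not mailx source.
 * Build: cc -o privbracket privbracket.c   (run as an ordinary binary,
 * egid == rgid, or install sgid to a test group to see the raise/lower). */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

static gid_t saved_egid;  /* gid we started with (the sgid group, if any) */
static gid_t real_gid;    /* the invoking user's gid */

/* Step 1: first thing at startup. Afterwards egid == rgid; the original
 * egid survives only in saved_egid / the saved set-gid. Returns 0 or -1. */
int drop_privs(void)
{
    saved_egid = getegid();
    real_gid = getgid();
    if (setgid(real_gid) < 0) {
        perror("setgid real");
        return -1;
    }
    return 0;
}

/* Are we currently running with the invoking user's gid? */
int privs_dropped(void)
{
    return getegid() == getgid();
}

/* Step 2: run one privileged operation (think: creating the lock file in
 * the mail spool) with the egid raised, and lower it again immediately.
 * Returns -1 if raising failed, otherwise whatever op() returned. */
int with_privs(int (*op)(void *), void *arg)
{
    if (setegid(saved_egid) < 0) {
        perror("setegid saved");
        return -1;
    }
    int rc = op(arg);
    if (setegid(real_gid) < 0) {
        /* Could not lower again; never carry on privileged by accident. */
        perror("setegid real");
        abort();
    }
    return rc;
}

/* Step 3: the '!' shell escape. Runs `shell -c cmd` in a child that first
 * verifies privileges really are dropped; otherwise it refuses (126).
 * Returns the command's exit status, or -1 on fork/wait/signal. */
int run_shell_escape(const char *shell, const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (!privs_dropped())
            _exit(126);
        execl(shell, shell, "-c", cmd, (char *)0);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-in for a privileged operation (assumption: just adds one). */
static int example_op(void *arg)
{
    return *(int *)arg + 1;
}

int main(void)
{
    if (drop_privs() < 0)
        return 1;
    int v = 41;
    printf("privs dropped: %d\n", privs_dropped());
    printf("privileged op returned: %d\n", with_privs(example_op, &v));
    const char *sh = getenv("SHELL");
    if (sh == NULL || *sh == '\0')
        sh = "/bin/sh";  /* fallback; mailx uses SHELL from local.h */
    printf("shell escape exit status: %d\n", run_shell_escape(sh, "exit 3"));
    return 0;
}
```

Run as a plain binary the three calls succeed trivially (both gids are already yours); the interesting case is an sgid install, where getegid() before drop_privs() reports the group and every later call, including the shell escape, reports your own gid.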
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:01:20 PDT